The Community Forums

Interact with an entire community of cPanel & WHM users.

Should Server Side Includes be disabled?

Discussion in 'Security' started by ItsMattSon, Oct 18, 2016.

  1. ItsMattSon

    ItsMattSon Well-Known Member

    Joined:
    Sep 5, 2016
    Messages:
    72
    Likes Received:
    16
    Trophy Points:
    8
    Location:
    Perth
    cPanel Access Level:
    Root Administrator
    Hi,

    Should Server Side Includes (SSI) be disabled? (from a security point of view)

    And *could* SSI be disabled? Does anything rely on it from a cPanel/WHM point of view?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Server-side includes are enabled or disabled via the following Apache options:

    "Includes" is disabled by default, but you enable or disable both options via:

    "WHM Home » Service Configuration » Apache Configuration » Global Configuration"

    Thank you.
     
  3. ItsMattSon

    ItsMattSon Well-Known Member

    Hi @cPanelMichael

    That's cool, good to know. I've noticed something 'off' though, whereby even though unticking Includes 'removes' Includes from the Directory / Options in /usr/local/apache/conf/httpd.conf, I can still use SSI on my domain.

    Would you know why that might be?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you provide step-by-step instructions on how you are using SSI for the account? Also, do any entries exist within the .htaccess file under the document root?

    Thank you.
     
    ItsMattSon likes this.
  5. ItsMattSon

    ItsMattSon Well-Known Member

    Hi,

    I checked but I've got no .htaccess files in my public_html folder unfortunately.

    I read that to test if SSI is enabled, I'd simply need to upload an index.shtml file to web root and add
    Code:
    <!--#echo var="DATE_LOCAL"-->
    into the source, and if it displays the date in the browser then SSI is enabled (and it does show the date on the page, with or without Includes checked in "WHM Home » Service Configuration » Apache Configuration » Global Configuration")
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
     
  7. ItsMattSon

    ItsMattSon Well-Known Member

    Hi @cPanelMichael,

    I can save you the trouble, I was really dumb this whole time...

    In [Home » Service Configuration » Apache Configuration » Global Configuration], I was unchecking the Includes box but leaving the IncludesNOEXEC box ticked (which I guess kept Includes fully functional).

    Unchecking both, Includes is no longer working (unless I override from web root with .htaccess Options).

    To prevent that, I suspect I'll just have to rebuild EasyApache 4 without mod_include? I'm afraid I don't quite see mod_include in the list though?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The "AllowOverride" Apache configuration value controls what users can override through their .htaccess file. You can find more information on AllowOverride at:

    core - Apache HTTP Server Version 2.4

    Thank you.
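
An added example, not part of the original thread and not cPanel's code: a Python check of whether a given `AllowOverride` value lets a `.htaccess` switch SSI back on, counting `IncludesNOEXEC` as SSI-enabling, as found earlier in the thread. The function names and the sample `.htaccess` are constructed for illustration, and the check does not model a later `Options` line replacing an earlier one.

```python
import re

# Both options switch SSI parsing on; IncludesNOEXEC only drops #exec and CGI includes.
SSI_OPTIONS = {"includes", "includesnoexec"}

def allowed_override_options(allow_override):
    """Options a .htaccess may set under this AllowOverride value.
    None means unrestricted; an empty set means Options cannot be overridden."""
    allowed = set()
    for tok in allow_override.lower().split():
        if tok in ("all", "options"):
            return None
        if tok.startswith("options="):
            allowed |= {o for o in tok[len("options="):].split(",") if o}
    return None if "all" in allowed else allowed

def htaccess_ssi_options(text):
    """SSI-related options that Options lines in a .htaccess try to turn on."""
    wanted = set()
    for line in text.splitlines():
        m = re.match(r"\s*options\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue  # comments and other directives
        for opt in m.group(1).lower().split():
            if opt.startswith("-"):
                continue  # "-Includes" turns the option off
            name = opt.lstrip("+")
            if name in SSI_OPTIONS or name == "all":
                wanted.add(name)
    return wanted

def ssi_override_possible(allow_override, htaccess_text):
    """Sorted list of SSI-enabling options the .htaccess is permitted to set."""
    allowed = allowed_override_options(allow_override)
    wanted = htaccess_ssi_options(htaccess_text)
    if allowed is None:
        return sorted(wanted)
    return sorted(wanted & allowed)

# Constructed sample: a .htaccess a site owner might drop into the web root.
SAMPLE_HTACCESS = """\
# re-enable SSI for .shtml pages
Options +IncludesNOEXEC
AddOutputFilter INCLUDES .shtml
"""

if __name__ == "__main__":
    for value in ("All", "Options=Indexes,FollowSymLinks FileInfo", "None"):
        print(f"AllowOverride {value!r}: {ssi_override_possible(value, SAMPLE_HTACCESS)}")
```

An empty result means the `.htaccess` cannot re-enable SSI under that `AllowOverride` value; a non-empty one lists the options it is allowed to set.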
     
  9. ItsMattSon

    ItsMattSon Well-Known Member

    Hi @cPanelMichael,

    Thanks - What if I just wanted to remove mod_include altogether? I can't seem to find it in EasyApache to un-include it?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    It's compiled by default:

    Code:
    [root@edge modules]# httpd -M|grep include
    include_module (shared)
    The following URL provides information about customizing EasyApache 4:

    ea4.ninja

    However, I don't recommend removing modules installed by default, as it's possible their inclusion is required for future or existing functionality.

    Thank you.
     
    ItsMattSon likes this.
  11. ItsMattSon

    ItsMattSon Well-Known Member

    Hi @cPanelMichael,

    I noticed that some documents actually use SSI, such as /usr/local/cpanel/htdocs/404.shtml

    I'll leave mod_include enabled as I'm not sure what I'll be breaking. I'll need to look at your AllowOverride solution. Thanks!
     
    cPanelMichael likes this.